Threat of the Week: DDoS — Are Credit Unions Next?

Fingers now point in unison at Iran as the nation state behind a wave of powerful Distributed Denial of Service (DDoS) attacks that recently crippled the Web services of banks such as Bank of America, Capital One, Wells Fargo and HSBC.

And that raises the question: will credit unions be next?

Especially worrisome about the latest attacks is that they are vastly more powerful than what has been seen before. Rather than leveraging a network of zombie PCs – so-called botnets – the latest attacks hijack data centers, letting loose a potent gusher of nonsensical information that overwhelms undefended Internet gateways and can stun even well-protected ones.

The sophistication of the attack is why fingers are pointed at Iran.

For the record, authorship of the attacks has been claimed by a group called Izz ad-Din al-Qassam Cyber Fighters. In a recent post, it stated: “Rulers and officials of American banks must expect our massive attacks! From now on, none of the U.S. banks will be safe from our attacks.”

Credit unions are not mentioned, so are they safe? Expert opinion is divided.

On the one side, there are experts who believe that credit unions are too small to win the kinds of headlines the attackers crave.

In that regard, Adam Bosnian, an executive vice president at security provider Cyber-Ark, said to me in an interview: “You have to ask, what’s the goal of the attacker? So far it seems to be to raise awareness that Iran can be a thorn in the United States’ side.”

But other experts suggested that large, military and government-related credit unions might be attractive targets to Izz ad-Din.

Still others think corporate credit unions are a weak link.

Paul Ferguson, vice president of threat intelligence at Internet Identity, said that in his opinion “credit unions are vulnerable and we see the attackers shifting targets. They are nimble. It is easy for them to repoint the attack at another institution” – and if they decide to go after credit unions, woe to the cooperatives, he suggested.

That – plus the persistence of lower-level DDoS mounted by people with grudges (such as ex-employees) – is why many experts now say credit unions cannot assume they have a free pass to dodge DDoS.

So, what should they do?

Hemant Jain, a vice president at security company Fortinet, told me in an interview that basic DDoS protection for a smaller credit union likely would run around $300,000 for a DDoS mitigation appliance, with annual service fees adding another 10% or 15% to the price tag.

That spend would be ample for warding off old-style DDoS attacks.

What the appliance does is inspect incoming traffic. It knows what DDoS attacks have looked like and it blocks them. Impact on legitimate users is minimal and, at least with traditional DDoS attacks, the institution’s operating abilities should be uninterrupted. Nation state attacks – with their high volumes – may however overwhelm most appliances.

That is why another strategy – sometimes used instead of an appliance, often used in tandem with one – is enlisting Internet service provider assistance to help thwart aggressive DDoS attacks.

At Internet traffic company Akamai, for instance, what it provides customers is inspection of all incoming traffic before that traffic reaches the institution. Akamai “scrubs” traffic it deems unsafe, meaning that traffic is removed from the stream (and should cause no disruption to the institution).

Rich Bolstridge, chief strategist, financial services at Akamai, said the costs for “smaller firms” would run $10,000 and upwards per month. He added that the tools “work. We are successfully handling attacks for our banking customers on a daily basis.”

Many bigger financial institutions deploy some combination of both approaches, said the experts. For day-to-day protection they rely on in-house appliances. When the DDoS volume exceeds their ability to handle it internally, they turn to outside contractors – with whom they have prior agreements – to step in and help block the incoming bad data. They also may set up an alternative incoming Internet pipe to help legitimate traffic reach its destination.
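To make that two-tier model concrete, here is an added illustration of the decision logic (my own example, not code from the column or from any vendor named in it): a per-source rate check stands in for the in-house appliance, and an aggregate-volume check triggers the hand-off to the scrubbing provider under the prior agreement. The thresholds, IP ranges and traffic mix are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Assumed tuning values for the illustration (not from the column).
WINDOW_SEC = 10           # sliding window, seconds
PER_SOURCE_LIMIT = 50     # requests/window before the appliance drops a source
APPLIANCE_CAPACITY = 400  # requests/window the in-house appliance can absorb

def _evict(q, now):
    """Drop timestamps that fell out of the sliding window."""
    while q and now - q[0] > WINDOW_SEC:
        q.popleft()

class DdosTriage:
    """Tier 1: per-source inspection (appliance). Tier 2: escalate on volume."""
    def __init__(self):
        self.per_source = defaultdict(deque)
        self.all_events = deque()
        self.blocked = set()

    def observe(self, ts, src_ip):
        """Return 'allow', 'block' (source dropped) or 'escalate' (hand off)."""
        self.all_events.append(ts)
        _evict(self.all_events, ts)
        if len(self.all_events) > APPLIANCE_CAPACITY:
            return "escalate"  # beyond in-house capacity: call the scrubbing provider
        if src_ip in self.blocked:
            return "block"
        q = self.per_source[src_ip]
        q.append(ts)
        _evict(q, ts)
        if len(q) > PER_SOURCE_LIMIT:
            self.blocked.add(src_ip)  # a high-rate host, e.g. a hijacked data-center box
            return "block"
        return "allow"

def run(records):
    """Feed (timestamp, src_ip) records through triage; return verdict counts, blocked IPs."""
    triage, counts = DdosTriage(), {"allow": 0, "block": 0, "escalate": 0}
    for ts, ip in records:
        counts[triage.observe(ts, ip)] += 1
    return counts, sorted(triage.blocked)

def sample_traffic():
    """Constructed records (documentation IP ranges), sorted by timestamp."""
    recs = [(t + i * 0.1, f"198.51.100.{i + 1}")  # 5 members, 1 request per 2 s
            for i in range(5) for t in range(0, 60, 2)]
    recs += [(20 + k * 0.05, "203.0.113.7") for k in range(200)]  # hijacked host, 20/s
    recs += [(t + s * 0.001, f"192.0.2.{s}")  # 100-source flood, 1 request/s each
             for s in range(100) for t in range(40, 46)]
    return sorted(recs)
```

Running `run(sample_traffic())` shows the single high-rate host being dropped by the appliance tier alone, while the many-source flood is only caught by the volume check that hands traffic off to the provider.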

These protections are not cheap and protecting against nation state attacks gets pricey.

Worrisome is that “most credit unions are naked. They don’t have any protections,” said Bolstridge.

Even worse, when an institution is taken down by the current attackers, they gloat in public Internet posts – meaning “there will be no hiding from the fact that you were hit with a DDoS attack,” said Bolstridge.

Bosnian, by the way, raised a particularly creepy thought: Are your data centers protected against conscription into the Izz ad-Din al-Qassam Cyber Fighters’ DDoS network? The present backbone of the attack is hijacked systems – typically owned by legitimate businesses with no clue that their computers are waging war on U.S. financial institutions. “If your systems are hijacked they can be used as a weapon. You need to prevent that,” said Bosnian.

Stay tuned: there will be more DDoS coverage in future columns because, right now, this is the biggest security topic in banking. The next focus: how vulnerable are corporate credit unions?